No-cost System Lockdown, Part 2: Open Source IDS in Use : Page 3

Part 1 gave you a rundown of the most popular open source IDS solutions. Now learn how to protect your servers by employing common, practical uses for these solutions.

by Alexander Prohorenko

Nov 15, 2004

Page 3 of 3

Why Not Just Use Swatch?
Of course using Swatch would be much easier in this situation. For example, Swatch knows how to make an external call to a program once the rule has happened and Snort currently doesn't. On the other hand, Snort is much more flexible despite its less intuitive syntax.

Moreover, you should think twice before giving Swatch such powerful access-blocking capabilities. It could easily lock out your server just because of a single typo. Sometimes the right approach is letting your software do the job, but not when it deals with the only entrance to your servers—SSH or telnet.

For Demonstration Purposes Only
The examples in this article were only a presentation of the possibilities and the flexibility of IDS systems. They are not a correctly planned IPS. Do not use these examples on a production system with the expectation that they will make it safe—they won't.

IDS Is Not a Silver Bullet
Intrusion detection and prevention systems are very powerful helpers in securing your servers. However, always keep in mind that no system will meet your needs perfectly. To keep your server as secure as possible, be prepared to lend your personal touch with custom code and scripting.